From ba94323c8dc063eaf91f15875da789cf6447bc53 Mon Sep 17 00:00:00 2001
From: 12ww1160
Date: Mon, 8 Dec 2025 16:30:44 +0100
Subject: [PATCH] OP#232 add file control for tla
---
.vscode/settings.json | 3 +++
manifests/params.pp | 16 ++++++++++++
manifests/puppetdb/files.pp | 42 +++++++++++++++++++++++++++++++
templates/puppetdb/ca.crt.erb | 1 +
templates/puppetdb/server.crt.erb | 1 +
templates/puppetdb/server.key.erb | 1 +
6 files changed, 64 insertions(+)
create mode 100644 templates/puppetdb/ca.crt.erb
create mode 100644 templates/puppetdb/server.crt.erb
create mode 100644 templates/puppetdb/server.key.erb
diff --git a/.vscode/settings.json b/.vscode/settings.json
index a507875..344101d 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -4,6 +4,7 @@
 "asctime",
 "basedirt",
 "cachedir",
+ "Changeme",
 "devel",
 "fastapi",
 "getenv",
@@ -17,6 +18,8 @@
 "logappender",
 "NOFILE",
 "operatingsystemrelease",
+ "pptd",
+ "pptdb",
 "Puppetfile",
 "pydantic",
 "pylint",
diff --git a/manifests/params.pp b/manifests/params.pp
index 6ccb6ae..8a7f543 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -60,6 +60,10 @@
 # @param [Boolean] pt_repl_on toggle the remote repl true false
 # @param [String] pt_repl_port What port the REPL should listen on
 # @param [String] pt_repl_host IP address to listen on
+# @param [Boolean] pt_enable_tls whether to use tls encryption for the backend
+# @param [String] pt_pptdb_ca_crt placeholder for the ca.crt
+# @param [String] pt_pptdb_server_crt placeholder for the server.crt
+# @param [String] pt_pptdb_server_key placeholder for the server.crt
 ###############################################################################
 class puppet_cd::params (
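Review bot: The new @param line for pt_pptdb_server_key repeats the description of the previous parameter (`placeholder for the server.crt`); it should read `# @param [String] pt_pptdb_server_key placeholder for the server.key`. Since the three new parameters are rendered verbatim by the templates added later in this patch, the docs would also be clearer if they said the values are the PEM contents of the files rather than paths, e.g. `# @param [String] pt_pptdb_server_key PEM content written to server.key`. The sixth context line of this hunk appears to have been lost in the collapsed layout, so the hunk's end is inferred here.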
@@ -113,6 +117,11 @@ class puppet_cd::params (
 String $pt_db_username = 'foobar',
 String $pt_db_password = 'foobar',
 String $pt_gc_interval = '60',
+ Boolean $pt_enable_tls = false,
+ String $pt_pptdb_ca_crt = 'Changeme',
+ String $pt_pptdb_server_crt = 'Changeme',
+ String $pt_pptdb_server_key = 'Changeme',
+
 ## jetty
 String $pt_http_port = '8080',
 String $pt_https_port = '8081',
@@ -155,6 +164,7 @@ class puppet_cd::params (
 ## puppetdb
 $pt_puppetdb_dir = '/etc/puppetlabs/puppetdb'
 $pt_puppetdb_conf_dir = "${pt_puppetdb_dir}/conf.d"
+ $pt_pptdb_ssldir = "${pt_puppetdb_dir}/ssl"
 # files
 ## puppet
@@ -192,6 +202,12 @@ class puppet_cd::params (
 $pt_repl_ini_erb = 'puppet_cd/puppetdb/repl.ini.erb'
 $pt_service_conf_file = '/usr/lib/systemd/system/puppetdb.service'
 $pt_service_conf_erb = 'puppet_cd/puppetdb/service.conf.erb'
+ $pt_ca_crt_file = "${pt_pptdb_ssldir}/ca.crt"
+ $pt_ca_crt_erb = 'puppet_cd/puppetdb/ca.crt.erb'
+ $pt_server_crt_file = "${pt_pptdb_ssldir}/server.crt"
+ $pt_server_crt_erb = 'puppet_cd/puppetdb/server.crt.erb'
+ $pt_server_key_file = "${pt_pptdb_ssldir}/server.key"
+ $pt_server_key_erb = 'puppet_cd/puppetdb/server.key.erb'
 # service
 $pt_server_service = 'puppetserver'
diff --git a/manifests/puppetdb/files.pp b/manifests/puppetdb/files.pp
index e09d55a..13b0d33 100644
--- a/manifests/puppetdb/files.pp
+++ b/manifests/puppetdb/files.pp
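Review bot: `String $pt_pptdb_server_key = 'Changeme',` declares the backend private key as a plain String with a non-empty placeholder default, so with `pt_enable_tls => true` and no override the module silently installs the literal text Changeme as server.key and notifies the service, and a real key value ends up in the catalog, in reports and in file-content diffs. Consider `Optional[Sensitive[String]] $pt_pptdb_server_key = undef,` (the same treatment fits the two certificate parameters), with the matching `file` resource in manifests/puppetdb/files.pp using `content => Sensitive(template($pt_server_key_erb))` and `show_diff => false`, and templates/puppetdb/server.key.erb reading `<%= @pt_pptdb_server_key.unwrap %>` so the rendered value is no longer the redacted marker. If the type is kept as String, files.pp should at least `fail()` when TLS is enabled and the value still equals the placeholder, rather than writing it out. The bare `+` after the new parameters appears to be an added blank line, which is harmless but worth confirming was intended.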
@@ -127,5 +127,47 @@ class puppet_cd::puppetdb::files (
 content => template($pt_repl_ini_erb),
 notify => Service[$pt_db_service],
 }
+ if $pt_enable_tls == true {
+ # create tls certs
+ ## ca.crt
+ file { $pt_ca_crt_file:
+ ensure => file,
+ owner => 'puppetdb',
+ group => 'puppetdb',
+ mode => '0440',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_ca_crt_erb),
+ notify => Service[$pt_db_service],
+ }
+ ## server.crt
+ file { $pt_server_crt_file:
+ ensure => file,
+ owner => 'puppetdb',
+ group => 'puppetdb',
+ mode => '0440',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_server_crt_erb),
+ notify => Service[$pt_db_service],
+ }
+ ## server.key
+ file { $pt_server_key_file:
+ ensure => file,
+ owner => 'puppetdb',
+ group => 'puppetdb',
+ mode => '0440',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_server_key_erb),
+ notify => Service[$pt_db_service],
+ }
+ }
 }
 }
diff --git a/templates/puppetdb/ca.crt.erb b/templates/puppetdb/ca.crt.erb
new file mode 100644
index 0000000..11312ba
--- /dev/null
+++ b/templates/puppetdb/ca.crt.erb
@@ -0,0 +1 @@
+<%= @pt_pptdb_ca_crt %>
\ No newline at end of file
diff --git a/templates/puppetdb/server.crt.erb b/templates/puppetdb/server.crt.erb
new file mode 100644
index 0000000..9d4f847
--- /dev/null
+++ b/templates/puppetdb/server.crt.erb
@@ -0,0 +1 @@
+<%= @pt_pptdb_server_crt %>
\ No newline at end of file
diff --git a/templates/puppetdb/server.key.erb b/templates/puppetdb/server.key.erb
new file mode 100644
index 0000000..1b983aa
--- /dev/null
+++ b/templates/puppetdb/server.key.erb
@@ -0,0 +1 @@
+<%= @pt_pptdb_server_key %>
\ No newline at end of file
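Review bot: The three new `file` resources write into `$pt_pptdb_ssldir` (`${pt_puppetdb_dir}/ssl`, introduced in params.pp in this same patch), but nothing in this hunk declares that directory, and a `file` resource does not create missing parent directories; unless the directory is managed elsewhere (the rest of the class is outside the hunk), the first run with TLS enabled fails on all three resources. Add `file { $pt_pptdb_ssldir: ensure => directory, owner => 'puppetdb', group => 'puppetdb', mode => '0750', }` ahead of the `## ca.crt` resource (or add a `require` on it), and give the server.key resource `show_diff => false` so key material never appears in reports. As a point of style, `if $pt_enable_tls == true {` can be `if $pt_enable_tls {` since the parameter is typed Boolean. The class puppet_cd::puppetdb::files starts outside the hunk, so whether `$pt_enable_tls` and the new `$pt_*_file`/`$pt_*_erb` variables are actually in its scope cannot be confirmed from here.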